When updating defaults, process certain values fist since they can

influence how other defaults are parsed. Currently, runas_default and sudoers_locale are processed early.
2025-08-31 14:25:15 +00:00 · 2016-07-18 11:37:32 -06:00
parent eae8bc9d56
commit 6ddc95a47c
1 changed files with 44 additions and 21 deletions
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -76,6 +76,15 @@ static struct strmap priorities[] = {
 	{ NULL,		-1 }
 };

+/*
+ * Defaults values to apply before others.
+ */
+static const char *early_defaults[] = {
+    "runas_default",
+    "sudoers_locale",
+    NULL
+};
+
 /*
 * Local prototypes.
 */
@@ -528,39 +537,53 @@ update_defaults(int what)
 {
    struct defaults *def;
    bool rc = true;
+    int pass;
    debug_decl(update_defaults, SUDOERS_DEBUG_DEFAULTS)

-    TAILQ_FOREACH(def, &defaults, entries) {
-	switch (def->type) {
+    /*
+     * Run through the Defaulsts list twice.
+     * First, set early defaults, then set the rest.
+     */
+    for (pass = 0; pass < 2; pass++) {
+	TAILQ_FOREACH(def, &defaults, entries) {
+	    const char **early;
+
+	    /* Only do early defaults in pass 0, skip them in pass 1. */
+	    for (early = early_defaults; *early != NULL; early++) {
+		if (strcmp(def->var, *early) == 0)
+		    break;
+	    }
+	    if (!!*early == pass)
+		continue;
+
+	    switch (def->type) {
 	    case DEFAULTS:
-		if (ISSET(what, SETDEF_GENERIC) &&
-		    !set_default(def->var, def->val, def->op))
-		    rc = false;
+		if (!ISSET(what, SETDEF_GENERIC))
+		    continue;
 		break;
 	    case DEFAULTS_USER:
-		if (ISSET(what, SETDEF_USER) &&
-		    userlist_matches(sudo_user.pw, def->binding) == ALLOW &&
-		    !set_default(def->var, def->val, def->op))
-		    rc = false;
+		if (!ISSET(what, SETDEF_USER) ||
+		    userlist_matches(sudo_user.pw, def->binding) != ALLOW)
+		    continue;
 		break;
 	    case DEFAULTS_RUNAS:
-		if (ISSET(what, SETDEF_RUNAS) &&
-		    runaslist_matches(def->binding, NULL, NULL, NULL) == ALLOW &&
-		    !set_default(def->var, def->val, def->op))
-		    rc = false;
+		if (!ISSET(what, SETDEF_RUNAS) ||
+		    runaslist_matches(def->binding, NULL, NULL, NULL) != ALLOW)
+		    continue;
 		break;
 	    case DEFAULTS_HOST:
-		if (ISSET(what, SETDEF_HOST) &&
-		    hostlist_matches(sudo_user.pw, def->binding) == ALLOW &&
-		    !set_default(def->var, def->val, def->op))
-		    rc = false;
+		if (!ISSET(what, SETDEF_HOST) ||
+		    hostlist_matches(sudo_user.pw, def->binding) != ALLOW)
+		    continue;
 		break;
 	    case DEFAULTS_CMND:
-		if (ISSET(what, SETDEF_CMND) &&
-		    cmndlist_matches(def->binding) == ALLOW &&
-		    !set_default(def->var, def->val, def->op))
-		    rc = false;
+		if (!ISSET(what, SETDEF_CMND) ||
+		    cmndlist_matches(def->binding) != ALLOW)
+		    continue;
 		break;
+	    }
+	    if (!set_default(def->var, def->val, def->op))
+		rc = false;
 	}
    }
    debug_return_bool(rc);